Open fbmei opened 1 week ago
Hi,
That's an interesting corner case/bug you found. Sadly, I don't have access to a NetIQ directory, so I can't reproduce/check. Feel free to propose a PR with a fix!
Thanks in advance.
Hi,
I have encountered a problem with my fix. Since it is possible for the LDAP server to send new referrals while performing a paged search, I need to account for that. This results in a near reimplementation of the ldap3.extend.standard.PagedSearch.paged_search_generator method, with only small changes for the size limit check. The code looks so similar to the code from the ldap3 project that I am unsure if I can submit it in that form. This is the first time I am contributing to an open-source project, and I am not sure how to handle such a situation. Since the ldap3 project is licensed under the GPL and eduMFA is under the AGPL, I do not know if it would be possible to use the method from ldap3, modify it to fix the problem, and credit the author from ldap3.
Best regards, Fabian Meier
Top-level intent
Import users with the LDAPIdResolver from a NetIQ eDirectory with a limit of 500 users.
Steps to reproduce
1. Set up LDAPIdResolver for NetIQ eDirectory with size limit of 500.
2. Restart eduMFA.
3. Open users dashboard and reload users two times in a row.
Expected outcome
500 users should get loaded after the first reload and loaded again after the second.
Actual outcome
The first reload works and 500 users get loaded. After the second reload the list is empty.
Configuration
Log file
More Information
I've debugged the issue so far, and I think I found the problem. The LDAP server is not setting the paged search cookie to null when the size limit is reached. This leads to more search requests, which overwhelm the server and cause it to respond with incorrect message IDs. This looks like an issue with NetIQ eDirectory, but it also makes it unusable with eduMFA. I've also observed that, for example, Apache DS enforces its size limit on the client side and stops sending new search requests after the size limit has been hit. I have implemented a fix that handles the paged search cookie on its own and enforces the size limit on the client side to make the implementation more robust against problematic servers. I will attach a pull request when the tests are complete.
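The client-side size limit described in this issue, sketched as an added example (it is not the eduMFA fix and not ldap3 code). `fetch_page` is a hypothetical callable standing in for one paged search request, `StickyCookieServer` is a constructed stand-in for a server that never clears the cookie, and referral handling is left out.

```python
from typing import Callable, Iterator, List, Optional, Tuple

# Hypothetical transport signature: (cookie, page_size) -> (entries, next_cookie).
FetchPage = Callable[[Optional[bytes], int], Tuple[List[dict], Optional[bytes]]]


def paged_search_limited(fetch_page: FetchPage, size_limit: int,
                         page_size: int = 100) -> Iterator[dict]:
    """Yield at most size_limit entries; the client decides when paging ends."""
    cookie: Optional[bytes] = None
    returned = 0
    while returned < size_limit:
        # Never request more entries than are still needed.
        want = min(page_size, size_limit - returned)
        entries, next_cookie = fetch_page(cookie, want)
        # Cap the page in case the server ignores the requested page size.
        for entry in entries[:size_limit - returned]:
            returned += 1
            yield entry
        # Stop on a cleared cookie, an empty page, or a cookie that did not
        # advance; any of these means another request cannot make progress.
        if not next_cookie or not entries or next_cookie == cookie:
            break
        cookie = next_cookie


class StickyCookieServer:
    """Constructed test double: always returns a non-empty cookie."""

    def __init__(self, total: int):
        self.total = total
        self.requests = 0  # number of search requests the client sent

    def fetch_page(self, cookie: Optional[bytes], page_size: int):
        self.requests += 1
        start = int(cookie or b"0")
        end = min(start + page_size, self.total)
        entries = [{"dn": f"cn=user{i},o=example"} for i in range(start, end)]
        # Misbehaviour under test: the cookie is never set to empty.
        return entries, str(end).encode()
```

With a limit of 500 and pages of 100, the loop sends exactly five requests and then stops, regardless of the cookie the server returns.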